This blog has been online for about 10 hours. To put it more harshly: I’m a nobody on the internet. Yet, when I generated my first visitor report with goaccess, I saw that the bot army had already started attacking my server. A lot of suspicious-looking URLs had been requested:
/config/getuser?index=0
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/jsonws/invoke
/solr/admin/info/system?wt=json
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
/console/
/wp-content/plugins/wp-file-manager/readme.txt
/Autodiscover/Autodiscover.xml
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
This is just a small sample, but it is obvious that they are trying to exploit known vulnerabilities in common software. These requests are harmless here, because this is a static website, but one request caught my attention:
/.env
My static site doesn’t have a .env file, but I work on a lot of projects that have one. I of course know that exposing the .env file is a mistake: it usually contains passwords, keys and other sensitive information, and in a production environment these should be in environment variables. But it is very scary to see that this is among the first things hackers try, because it’s so easy to accidentally copy it into a public directory.
So please, everyone: protect your .env!
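As an added example (not part of the original post), here is a small access-log scanner that does the check I would want after seeing a report like the one above: it counts probes per client IP using the request paths listed in this post as signatures, and, more importantly, flags any request for .env that was answered with a 2xx status, since that means the file was actually served rather than merely asked for. The combined log format, the sample log lines and the probe list are constructed assumptions.

```python
import re
from collections import Counter
# Combined log format (nginx/Apache default): ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Probe signatures: path prefixes taken from the requests listed in the post.
PROBE_PREFIXES = (
    "/.env", "/config/getuser", "/vendor/phpunit", "/api/jsonws/invoke",
    "/solr/admin", "/console/", "/wp-content/plugins/wp-file-manager",
    "/Autodiscover/Autodiscover.xml",
)
# Paths whose 2xx response means a secret was actually served, not just probed.
SECRET_PATHS = ("/.env",)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than guessed at
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_probe(path):
    bare = path.split("?", 1)[0]  # compare without the query string
    return any(bare.startswith(p) for p in PROBE_PREFIXES)

def scan(lines):
    """Return (probe count per client IP, list of secret files that were served)."""
    probes, leaks = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_probe(rec["path"]):
            probes[rec["ip"]] += 1
        if rec["path"].split("?", 1)[0] in SECRET_PATHS and 200 <= rec["status"] < 300:
            leaks.append((rec["ip"], rec["path"], rec["status"]))
    return probes, leaks
# Constructed sample log lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "-"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 200 412 "-" "curl/8.0"
not a log line
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```

A non-empty leaks list is the signal that matters: 404s for /.env are background noise, a 200 means the secrets are already out and need rotating.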